Strong authentication tokens are small, portable, handheld, dedicated hardware security devices that are well known in the art. They allow service providers and applications to authenticate the possessor of the token, by providing dynamic passwords that could only be generated with knowledge of a secret or key that is shared between the authentication server employed by the service provider or application on the one hand, and the authentication token on the other hand. To generate dynamic passwords or one-time passwords, the strong authentication token applies a cryptographic algorithm to the shared secret and a dynamic variable, for example including one or more of a counter value, a value representing the present time, and a random challenge. Usually the dynamic password can only be used once, thus greatly enhancing the level of security with respect to static passwords. Some strong authentication tokens can also generate electronic signatures on transaction data. Strong authentication tokens are popular, especially to secure applications such as internet banking, because they offer a much higher level of security than static passwords combined with high user convenience.
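The following sketch is an added illustration, not part of the original text: it shows a dynamic password derived from a shared secret and each of the three kinds of dynamic variable named above, and a server that accepts a counter-based password only once. The text does not name an algorithm; HMAC-SHA-1 with RFC 4226 truncation is assumed here, and all function and class names are hypothetical.

```python
import hashlib
import hmac
import struct

def dynamic_password(secret: bytes, variable: bytes, digits: int = 6) -> str:
    """Derive a decimal password from the shared secret and a dynamic variable.

    Assumption: HMAC-SHA-1 with RFC 4226 dynamic truncation stands in for the
    unspecified "cryptographic algorithm" in the text.
    """
    mac = hmac.new(secret, variable, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# The three kinds of dynamic variable the text lists, encoded as bytes.
def counter_variable(counter: int) -> bytes:
    return struct.pack(">Q", counter)

def time_variable(unix_time: int, step: int = 30) -> bytes:
    return struct.pack(">Q", unix_time // step)   # same value within one step

def challenge_variable(challenge: bytes) -> bytes:
    return challenge                              # random value sent by server

class CounterVerifier:
    """Server side for a counter-based token: each password is accepted once."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 3):
        self.secret, self.counter, self.window = secret, counter, window

    def verify(self, candidate: str) -> bool:
        # Look ahead a few counters in case the user generated unused passwords.
        for c in range(self.counter, self.counter + self.window + 1):
            expected = dynamic_password(self.secret, counter_variable(c))
            if hmac.compare_digest(expected, candidate):
                self.counter = c + 1              # burn this and earlier values
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"              # constructed test secret
    server = CounterVerifier(secret)
    otp = dynamic_password(secret, counter_variable(2))
    print(otp, server.verify(otp), server.verify(otp))  # second use is rejected
```

Advancing the stored counter past every accepted value is what makes a captured password useless for replay, which is the security gain over a static password that the paragraph describes.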
To generate dynamic passwords and electronic signatures and to handle data input and output e.g. by means of a keyboard and display, strong authentication tokens include some kind of data processing means such as a microprocessor.
Strong authentication tokens also typically include some non-volatile memory to store data such as configuration data, secrets (including the shared secret for the generation of dynamic passwords), counter values, PIN (personal identification number) values, etc. In many cases this non-volatile memory includes permanently powered RAM (random access memory).
Strong authentication tokens that generate dynamic passwords using a time value typically include a real-time clock.
Some strong authentication tokens have a smart card interface to allow the token device to communicate with a smart card. The smart card may be used to store data that is used for generating dynamic passwords or electronic signatures. The token may also delegate to the smart card part or all of the algorithm to generate dynamic passwords or electronic signatures.
To make the field of applicability as wide as possible, strong authentication tokens are designed to be fully autonomous and to not require any connection with other systems such as the user's client computer.
To avoid the need for a digital connection for data transfer between a strong authentication token and a system or application to be secured, strong authentication tokens typically have a display for communicating the generated dynamic credentials such as one-time passwords or electronic signatures to the end user, and a button or keypad to request the generation of a new credential and/or to enter challenges, transaction data, PIN codes, etc. Other known communicating devices for strong authentication tokens may include an auditory output generator.
To avoid the need for an external power supply, strong authentication tokens are usually battery powered. To minimize the mechanical complexity of the token and potential hassle for the user, these batteries are often not replaceable. In such cases the battery lifetime is often the limiting factor for the token's lifetime. Many typical strong authentication tokens require an electrical power supply operating at 5 volts. This supply voltage requirement may stem from usage of an LCD (liquid crystal display) which for optimal contrast has to be driven at about 5 volts, and/or use of the token to supply electrical power to an inserted smart card which requires a 5-volt supply voltage, and/or use of optical components driven by the token power supply that are used to optically communicate with the token. 3-volt batteries are often used due to their relatively low cost and small form factor. A typical strong authentication token therefore includes two 3-volt batteries that are connected in series so as to jointly provide a raw voltage of up to 6 volts which is down-regulated to a stabilised voltage of 5 volts.
For improved portability and ease of logistics (e.g. distribution via mail services) strong authentication tokens are preferably as compact and lightweight as possible. Some strong authentication tokens have the form factor of plastic cards with dimensions similar to those of credit cards. This considerably limits the size, and hence the capacity, of batteries used in credit card shaped strong authentication tokens.
Strong authentication tokens are meant to be used on a massive scale and hence are subject to significant cost pressure. To control costs it is preferable that the number and cost of components are minimized.
The discussion of the background to the invention herein is included to explain the context of the invention. This shall not be taken as an admission that any of the material discussed above was published, known or part of the common general knowledge at the priority date of this application.